Legal claims defining the scope of protection, as filed with the USPTO.
1. A method of performing impersonation detection, the method comprising: receiving, by a client computer, an access request that identifies a user and includes current access request data; after receiving the access request, obtaining, by the client computer from a server computer, (i) encrypted historical access request data representing previous access request activity of the user stored in the server computer and (ii) instructions to perform an impersonation detection operation; and performing, by the client computer while the historical access request data remains encrypted, the impersonation detection operation based on the encrypted historical access request data and the current access request data to produce an impersonation detection result, the impersonation detection result indicating whether the access request was submitted by a person impersonating the user, wherein the method further comprises, prior to the client computer receiving the access request, encrypting, by the client computer, a set of previous device identifiers to produce a set of encrypted previous device identifiers, the set of previous device identifiers identifying a set of previous devices by which a previous access request was submitted by the user; wherein the current access request data includes a set of current device identifiers identifying a set of current devices by which the access request was submitted by the user; wherein the method further comprises encrypting, by the client computer, the set of current device identifiers to produce a set of encrypted current device identifiers; wherein performing the impersonation detection operation includes comparing the set of encrypted previous device identifiers and the set of encrypted current device identifiers to produce a comparison result, the impersonation detection result being based on the comparison result, wherein each of the set of encrypted previous device identifiers is a bit string including bits; wherein the 
instructions to perform the impersonation detection operation include a respective truth table corresponding to each bit of an encrypted previous device identifier of the set of encrypted previous device identifiers, the truth table corresponding to that bit of the encrypted previous device identifier including entries having (i) possible values of that bit of the encrypted previous device identifier, (ii) possible values of a corresponding bit of a respective encrypted current device identifier of the set of encrypted current device identifiers, and (iii) possible values of an output bit based on the possible values of that bit of the encrypted previous device identifier and the possible values of the corresponding bit of the respective encrypted current device identifier; and wherein comparing the set of encrypted previous device identifiers and the set of encrypted current device identifiers includes, for a truth table corresponding to a bit of the encrypted previous device identifier, locating an entry of the truth table, the entry having the value of a bit of the encrypted previous device identifier and a value of a corresponding bit of the respective encrypted current device identifier to produce a value of a corresponding output bit.
2. A method as in claim 1, wherein the set of previous device identifiers includes an encrypted hostname of a previous computer on which the previous access request was input; wherein the set of current device identifiers includes an encrypted hostname of a current computer on which the access request was input; and wherein comparing the set of encrypted previous device identifiers and the set of encrypted current device identifiers includes testing whether the encrypted hostname of the previous computer and the encrypted hostname of the current computer are equal, the impersonation detection result indicating that the access request was not submitted by a person impersonating the user in response to the encrypted hostname of the previous device and the encrypted hostname of the current device being equal.
3. A method as in claim 2, wherein the set of previous device identifiers further includes an encrypted network identifier of a previous network to which the previous computer was connected when the previous access request was submitted; wherein the set of current device identifiers further includes an encrypted network identifier of a current network to which the current computer was connected when the current access request was submitted; and wherein comparing the set of encrypted previous device identifiers and the set of encrypted current device identifiers further includes testing whether the encrypted network identifier of the previous network and the encrypted network identifier of the current network are equal, the impersonation detection result indicating that the access request was not submitted by a person impersonating the user in response to the testing finding that the encrypted network identifier of the previous network and the encrypted network identifier of the current network are equal.
4. A method as in claim 1, wherein the impersonation detection result includes a risk score, a larger risk score indicating a larger risk that the access request was submitted by a person impersonating the user; wherein performing the impersonation detection operation further includes: inputting, by the client computer, an initial value of the risk score, and modifying the initial value of the risk score based on the comparison result to produce, as the impersonation detection result, a modified value of the risk score.
5. A method as in claim 4, wherein the encrypted historical access data also includes a speed bit string representing (i) a previous time at which the previous access request was submitted and (ii) a previous geolocation of the previous computer at the previous time; wherein the current access request data includes (i) a current time at which the access request was submitted by the user and (ii) a current geolocation of the current device at the current time; wherein performing the impersonation detection operation includes: decrypting the speed bit string to produce the previous geolocation and the previous time, generating a speed based on the current geolocation, the previous geolocation, the current time, and the previous time, and producing the initial value of the risk score based on the speed.
6. A method as in claim 4, wherein the encrypted historical access data also includes an encrypted previous country identifier identifying a previous country from which the previous access request was submitted; wherein the current access request data includes an encrypted current country identifier identifying a current country from which the current access request was submitted; wherein comparing the set of encrypted previous device identifiers and the set of encrypted current device identifiers includes testing whether the encrypted previous country identifier and the encrypted current country identifier are equal; and wherein modifying the initial value of the risk score includes, in response to the encrypted previous country identifier and the encrypted current country identifier being equal, multiplying the initial value of the risk score by a risk score reduction factor to produce a reduced risk score, the risk score reduction factor being a number between zero and 1.
7. A method as in claim 1, further comprising, for each bit of the set of encrypted previous device identifiers: replacing, by the server computer, each possible bit value of each entry of the truth table corresponding to a bit of the encrypted previous device identifier with a respective randomly generated bit string of a fixed length; within each entry of the truth table, using, by the server computer, the randomly generated bit strings that replace the value of the bit of the encrypted previous device identifier and the value of the bit of the encrypted current device identifier to encrypt the randomly generated bit string replacing the output bit of that entry; and shuffling, by the server computer, the entries of the truth table to produce a garbled truth table; and wherein locating the entry of the truth table includes: selecting the entry of the truth table for which the randomly generated bit strings that replace the value of the bit of the encrypted previous device identifier and the value of the bit of the encrypted current device identifier successfully decrypt the encrypted randomly generated bit string replacing the output bit of that entry.
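An added illustration (not part of the patent text) of the garbled truth table recited in claims 1 and 7, for one equality bit per position. The 16-byte label length, the SHAKE-256 key stream, the all-zero check block used to recognise a successful decryption, and every function name are assumptions; both parties are simulated in one process, and how the client obtains its input labels is outside what the claims state.

```python
import hashlib
import secrets

LABEL_LEN = 16                 # assumed fixed length of each random bit string (bytes)
CHECK = b"\x00" * 16           # assumed redundancy: zeros here mean "decrypted successfully"


def _keystream(label_a: bytes, label_b: bytes, n: int) -> bytes:
    # Pad derived from the pair of input labels (stand-in for a real cipher).
    return hashlib.shake_256(label_a + label_b).digest(n)


def _xor(x: bytes, y: bytes) -> bytes:
    return bytes(i ^ j for i, j in zip(x, y))


def garble_equality_bit() -> dict:
    """Server side: garbled truth table for out = (previous_bit == current_bit)."""
    # Replace each possible bit value on each wire with a random label.
    a = [secrets.token_bytes(LABEL_LEN) for _ in range(2)]    # previous-identifier bit
    b = [secrets.token_bytes(LABEL_LEN) for _ in range(2)]    # current-identifier bit
    out = [secrets.token_bytes(LABEL_LEN) for _ in range(2)]  # output bit
    rows = []
    for bit_a in (0, 1):
        for bit_b in (0, 1):
            plain = out[int(bit_a == bit_b)] + CHECK
            # Encrypt the output label under the two input labels of this entry.
            rows.append(_xor(plain, _keystream(a[bit_a], b[bit_b], len(plain))))
    secrets.SystemRandom().shuffle(rows)   # hide which entry is which
    return {"rows": rows, "a": a, "b": b, "out": out}


def evaluate(rows: list, label_a: bytes, label_b: bytes) -> bytes:
    """Client side: select the one entry that the two held labels decrypt."""
    for row in rows:
        plain = _xor(row, _keystream(label_a, label_b, len(row)))
        if plain[LABEL_LEN:] == CHECK:
            return plain[:LABEL_LEN]
    raise ValueError("no entry decrypted: labels do not belong to this table")


def compare_identifiers(prev_bits: list, cur_bits: list) -> tuple:
    """One table per bit position; the identifiers match iff every output bit is 1."""
    if len(prev_bits) != len(cur_bits):
        raise ValueError("bit strings must have the same length")
    outputs = []
    for p, c in zip(prev_bits, cur_bits):
        table = garble_equality_bit()
        out_label = evaluate(table["rows"], table["a"][p], table["b"][c])
        outputs.append(table["out"].index(out_label))   # decode label back to a bit
    return all(outputs), outputs


if __name__ == "__main__":
    # Constructed sample bit strings, standing in for truncated HMAC outputs.
    print(compare_identifiers([1, 0, 1, 1], [1, 0, 1, 1]))
    print(compare_identifiers([1, 0, 1, 1], [1, 1, 1, 0]))
```

The evaluator never sees which row corresponds to which input pair; labels from a different table decrypt no row, which is the failure mode `evaluate` reports.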
8. A method as in claim 1, wherein encrypting the set of previous device identifiers to produce the set of encrypted previous device identifiers includes: generating a previous salt value, concatenating the previous salt value and a previous device identifier of the set of previous device identifiers to produce a previous concatenated string, generating a previous keyed-hash message authentication code (HMAC) from the previous concatenated string, and producing an encrypted previous device identifier from a predetermined number of the least significant bits of the previous HMAC; and wherein encrypting the set of current device identifiers to produce the set of encrypted current device identifiers includes: receiving the previous salt value, concatenating the previous salt value and a current device identifier of the set of current device identifiers to produce a current concatenated string, generating a current HMAC from the current concatenated string, and producing an encrypted current device identifier from the predetermined number of the least significant bits of the current HMAC.
9. A method as in claim 8, wherein the method further comprises, after performing the impersonation detection operation: generating, by the client computer, a new salt value that is distinct from the previous salt value; concatenating the new salt value and a current device identifier of the set of current device identifiers to produce a new concatenated string, generating a new HMAC from the new concatenated string, producing a new encrypted previous device identifier from the predetermined number of the least significant bits of the new HMAC, and sending the new encrypted previous device identifier to the server computer, the server computer being unable to identify whether the user has any repeating values of the current device identifier.
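An added sketch (not part of the patent text) of the salted, truncated HMAC in claim 8 and the salt rotation in claim 9. HMAC-SHA-256, the 32-bit truncation, the 16-byte salt, the client-held `key`, the record layout and all function names are assumptions; the tokens are compared directly here instead of through the truth tables of claim 1.

```python
import hashlib
import hmac
import secrets

TOKEN_BITS = 32   # assumed "predetermined number" of least significant bits
SALT_LEN = 16     # assumed salt length in bytes


def encrypt_identifier(key: bytes, salt: bytes, device_id: str,
                       bits: int = TOKEN_BITS) -> str:
    """HMAC over salt || identifier, truncated to the low `bits` bits (bit string)."""
    mac = hmac.new(key, salt + device_id.encode("utf-8"), hashlib.sha256).digest()
    low = int.from_bytes(mac, "big") & ((1 << bits) - 1)
    return format(low, "0{}b".format(bits))


def enroll(key: bytes, device_id: str) -> dict:
    """Client side, before any access request: the record the server will store."""
    salt = secrets.token_bytes(SALT_LEN)
    return {"salt": salt, "token": encrypt_identifier(key, salt, device_id)}


def check_and_rotate(key: bytes, stored: dict, current_device_id: str) -> tuple:
    """Tokenise the current identifier under the stored salt, compare, then
    re-tokenise it under a fresh salt for the next round (claim 9)."""
    current = encrypt_identifier(key, stored["salt"], current_device_id)
    match = hmac.compare_digest(current, stored["token"])
    new_salt = secrets.token_bytes(SALT_LEN)
    while new_salt == stored["salt"]:        # the claim requires a distinct salt
        new_salt = secrets.token_bytes(SALT_LEN)
    # This sketch rotates unconditionally, as the claim text reads.
    new_record = {"salt": new_salt,
                  "token": encrypt_identifier(key, new_salt, current_device_id)}
    return match, new_record


if __name__ == "__main__":
    key = secrets.token_bytes(32)            # constructed sample key
    record = enroll(key, "laptop-01")        # constructed sample hostname
    for _ in range(3):
        ok, record = check_and_rotate(key, record, "laptop-01")
        # The same hostname yields a different server-visible token each round.
        print(ok, record["token"])
```

Truncation trades linkability for accuracy: with `TOKEN_BITS` bits, two different identifiers collide under one salt with probability about 2^-TOKEN_BITS, so a short token produces false matches.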
10. A method as in claim 1, wherein the access request received by the client computer is received from an electronic device separate from both the client computer and the server computer.
11. A method as in claim 1, wherein the method further includes, prior to receiving the access request that identifies the user and includes current access request data: receiving, by the client computer a set of legitimate access requests from a user device of a legitimate user separate from both the client computer and the server computer; transmitting, the set of legitimate access requests from the legitimate user to the server computer from the client computer in encrypted form; and storing, by the server computer, the set of legitimate access requests from the legitimate user, the set of legitimate access requests from the legitimate user forming at least a part of the encrypted historical access request data.
12. A method as in claim 1, wherein each of a set of encrypted previous device identifiers is a bit string including bits; wherein the instructions to perform the impersonation detection operation include a respective truth table corresponding to each bit of an encrypted previous device identifier of the set of encrypted previous device identifiers received from the server computer and forming at least a part of the encrypted historical access request data; wherein the truth table corresponding to that bit of the encrypted previous device identifier includes entries having (i) possible values of that bit of the encrypted previous device identifier, (ii) possible values of a corresponding bit of a respective encrypted current device identifier of a set of encrypted current device identifiers produced by encrypting the current device identifiers, and (iii) possible values of an output bit based on the possible values of that bit of the encrypted previous device identifier and the possible values of the corresponding bit of the respective encrypted current device identifier; and wherein comparing the set of encrypted previous device identifiers and the set of encrypted current device identifiers includes, for a truth table corresponding to a bit of the encrypted previous device identifier, locating an entry of the truth table, the entry having the value of a bit of the encrypted previous device identifier and a value of a corresponding bit of the respective encrypted current device identifier to produce a value of a corresponding output bit.
13. An electronic system constructed and arranged to perform impersonation detection, the electronic system comprising: a server computer; and a client computer including a network interface, memory, and controlling circuitry coupled to the memory, the controlling circuitry being constructed and arranged to: receive an access request that identifies a user and includes current access request data; after receiving the access request, obtain, from the server computer, (i) encrypted historical access request data representing previous access request activity of the user stored in the server computer and (ii) instructions to perform an impersonation detection operation; and perform, while the historical access request data remains encrypted, the impersonation detection operation based on the encrypted historical access request data and the current access request data to produce an impersonation detection result, the impersonation detection result indicating whether the access request was submitted by a person impersonating the user, wherein the controlling circuitry of the client computer is further constructed and arranged to, prior to the client computer receiving the access request, encrypt a set of previous device identifiers to produce a set of encrypted previous device identifiers, the set of previous device identifiers identifying a set of previous devices by which a previous access request was submitted by the user; wherein the current access request data includes a set of current device identifiers identifying a set of current devices by which the access request was submitted by the user; wherein the controlling circuitry of the client computer is further constructed and arranged to encrypt the set of current device identifiers to produce a set of encrypted current device identifiers; wherein the controlling circuitry of the client computer constructed and arranged to perform the impersonation detection operation is further constructed and arranged to compare 
the set of encrypted previous device identifiers and the set of encrypted current device identifiers to produce a comparison result, the impersonation detection result being based on the comparison result, wherein each of the set of encrypted previous device identifiers is a bit string including bits; wherein the instructions to perform the impersonation detection operation include a respective truth table corresponding to each bit of an encrypted previous device identifier of the set of encrypted previous device identifiers, the truth table corresponding to that bit of the encrypted previous device identifier including entries having (i) possible values of that bit of the encrypted previous device identifier, (ii) possible values of a corresponding bit of a respective encrypted current device identifier of the set of encrypted current device identifiers, and (iii) possible values of an output bit based on the possible values of that bit of the encrypted previous device identifier and the possible values of the corresponding bit of the respective encrypted current device identifier; and wherein the controlling circuitry of the client computer constructed and arranged to compare the set of encrypted previous device identifiers and the set of encrypted current device identifiers is further constructed and arranged, for a truth table corresponding to a bit of the encrypted previous device identifier, to locate an entry of the truth table, the entry having the value of a bit of the encrypted previous device identifier and a value of a corresponding bit of the respective encrypted current device identifier to produce a value of a corresponding output bit.
14. An electronic system as in claim 13, wherein the set of previous device identifiers includes an encrypted hostname of a previous computer on which the previous access request was input; wherein the set of current device identifiers includes an encrypted hostname of a current computer on which the access request was input; and wherein the controlling circuitry of the client computer constructed and arranged to compare the set of encrypted previous device identifiers and the set of encrypted current device identifiers is further constructed and arranged to test whether the encrypted hostname of the previous computer and the encrypted hostname of the current computer are equal, the impersonation detection result indicating that the access request was not submitted by a person impersonating the user in response to the encrypted hostname of the previous device and the encrypted hostname of the current device being equal.
15. An electronic system as in claim 14, wherein the set of previous device identifiers further includes an encrypted network identifier of a previous network to which the previous computer was connected when the previous access request was submitted; wherein the set of current device identifiers further includes an encrypted network identifier of a current network to which the current computer was connected when the current access request was submitted; and wherein the controlling circuitry of the client computer constructed and arranged to compare the set of encrypted previous device identifiers and the set of encrypted current device identifiers is further constructed and arranged to test whether the encrypted network identifier of the previous network and the encrypted network identifier of the current network are equal, the impersonation detection result indicating that the access request was not submitted by a person impersonating the user in response to the testing finding that the encrypted network identifier of the previous network and the encrypted network identifier of the current network are equal.
16. An electronic system as in claim 13, wherein the impersonation detection result includes a risk score, a larger risk score indicating a larger risk that the access request was submitted by a person impersonating the user; wherein the controlling circuitry of the client computer constructed and arranged to perform the impersonation detection operation is further constructed and arranged to: input an initial value of the risk score, and modify the initial value of the risk score based on the comparison result to produce, as the impersonation detection result, a modified value of the risk score.
17. An electronic system as in claim 16, wherein the encrypted historical access data also includes a speed bit string representing (i) a previous time at which the previous access request was submitted and (ii) a previous geolocation of the previous computer at the previous time; wherein the current access request data includes (i) a current time at which the access request was submitted by the user and (ii) a current geolocation of the current device at the current time; wherein the controlling circuitry of the client computer constructed and arranged to perform the impersonation detection operation is further constructed and arranged to: decrypt the speed bit string to produce the previous geolocation and the previous time, generate a speed based on the current geolocation, the previous geolocation, the current time, and the previous time, and produce the initial value of the risk score based on the speed.
18. An electronic system as in claim 16, wherein the encrypted historical access data also includes an encrypted previous country identifier identifying a previous country from which the previous access request was submitted; wherein the current access request data includes an encrypted current country identifier identifying a current country from which the current access request was submitted; wherein the controlling circuitry of the client computer constructed and arranged to compare the set of encrypted previous device identifiers and the set of encrypted current device identifiers is further constructed and arranged to test whether the encrypted previous country identifier and the encrypted current country identifier are equal; and wherein the controlling circuitry of the client computer constructed and arranged to modify the initial value of the risk score is further constructed and arranged to, in response to the encrypted previous country identifier and the encrypted current country identifier being equal, multiply the initial value of the risk score by a risk score reduction factor to produce a reduced risk score, the risk score reduction factor being a number between zero and 1.
19. A computer program product including a non-transitory, computer-readable storage medium which stores executable code, which when executed by a client computer, causes the client computer to perform a method of performing impersonation detection, the method comprising: receiving an access request that identifies a user and includes current access request data; after receiving the access request, obtaining, from a server computer, (i) encrypted historical access request data representing previous access request activity of the user stored in the server computer and (ii) instructions to perform an impersonation detection operation; and performing, while the historical access request data remains encrypted, the impersonation detection operation based on the encrypted historical access request data and the current access request data to produce an impersonation detection result, the impersonation detection result indicating whether the access request was submitted by a person impersonating the user, wherein the set of previous device identifiers includes an encrypted hostname of a previous computer on which the previous access request was input; wherein the set of current device identifiers includes an encrypted hostname of a current computer on which the access request was input; wherein comparing the set of encrypted previous device identifiers and the set of encrypted current device identifiers includes testing whether the encrypted hostname of the previous computer and the encrypted hostname of the current computer are equal, the impersonation detection result indicating that the access request was not submitted by a person impersonating the user in response to the encrypted hostname of the previous device and the encrypted hostname of the current device being equal, wherein encrypting the set of previous device identifiers to produce the set of encrypted previous device identifiers includes: generating a previous salt value, concatenating the previous salt 
value and a previous device identifier of the set of previous device identifiers to produce a previous concatenated string, generating a previous keyed-hash message authentication code (HMAC) from the previous concatenated string, and producing an encrypted previous device identifier from a predetermined number of the least significant bits of the previous HMAC; and wherein encrypting the set of current device identifiers to produce the set of encrypted current device identifiers includes: receiving the previous salt value, concatenating the previous salt value and a current device identifier of the set of current device identifiers to produce a current concatenated string, generating a current HMAC from the current concatenated string, and producing an encrypted current device identifier from the predetermined number of the least significant bits of the current HMAC.
20. A computer program product as recited in claim 19, wherein the method further comprises, after performing the impersonation detection operation: generating, by the client computer, a new salt value that is distinct from the previous salt value; concatenating the new salt value and a current device identifier of the set of current device identifiers to produce a new concatenated string, generating a new HMAC from the new concatenated string, producing a new encrypted previous device identifier from the predetermined number of the least significant bits of the new HMAC, and sending the new encrypted previous device identifier to the server computer, the server computer being unable to identify whether the user has any repeating values of the current device identifier.
February 27, 2018